Exposing a Domains Portfolio Known to Belong to the Russian Business Network's 
Support Center - An OSINT Analysis 
We've decided to take a deeper look at the Internet-connected infrastructure of the infamous 
Russian Business Network's support center, with the idea of providing actionable 
intelligence that assists the security industry in monitoring, tracking down and acting upon 
current and upcoming campaigns courtesy of the Russian Business Network. 


Sample domains known to have been involved in the campaign include: 




Sample personally identifiable email address accounts known to have been involved in 
the campaign include: 




Related responding IPs known to have been involved in the campaign include: 




Sample related malicious and fraudulent MD5s known to have been involved in the 
campaign include: 




Sample related domains known to have been involved in the campaign include: 




We'll continue monitoring the campaign and will post updates as soon as new developments 
take place. 


